aboutsummaryrefslogtreecommitdiffstats
path: root/www/apache13-modssl
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2005-07-28 02:07:27 +0800
committerdinoex <dinoex@FreeBSD.org>2005-07-28 02:07:27 +0800
commit79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455 (patch)
treeaef9b0a2447d5ee4ca7bdb735bfddef784d4ab98 /www/apache13-modssl
parent9570bd22e0c6b8a8314391e8ee18c0e4a0dafb36 (diff)
downloadfreebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.tar.gz
freebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.tar.zst
freebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.zip
- Security Fix CAN-2005-2088
Diffstat (limited to 'www/apache13-modssl')
-rw-r--r--www/apache13-modssl/Makefile2
-rw-r--r--www/apache13-modssl/files/patch-secfix-CAN-2005-208887
2 files changed, 88 insertions, 1 deletions
diff --git a/www/apache13-modssl/Makefile b/www/apache13-modssl/Makefile
index 2a13920c5322..97a41ebdb8af 100644
--- a/www/apache13-modssl/Makefile
+++ b/www/apache13-modssl/Makefile
@@ -7,7 +7,7 @@
PORTNAME= apache+mod_ssl
PORTVERSION= ${VERSION_APACHE}+${VERSION_MODSSL}
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES?= www security
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITES_MODSSL:S/$/:mod_ssl/} \
diff --git a/www/apache13-modssl/files/patch-secfix-CAN-2005-2088 b/www/apache13-modssl/files/patch-secfix-CAN-2005-2088
new file mode 100644
index 000000000000..c4315400577e
--- /dev/null
+++ b/www/apache13-modssl/files/patch-secfix-CAN-2005-2088
@@ -0,0 +1,87 @@
+--- src/modules/proxy/proxy_http.c 2005/07/14 05:09:17 218987
++++ src/modules/proxy/proxy_http.c 2005/07/14 05:19:15 218988
+@@ -121,7 +121,7 @@
+ char portstr[32];
+ pool *p = r->pool;
+ int destport = 0;
+- int chunked = 0;
++ const char *chunked = NULL;
+ char *destportstr = NULL;
+ const char *urlptr = NULL;
+ const char *datestr, *urlstr;
+@@ -338,7 +338,12 @@
+ ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname);
+ }
+
+- /* we don't yet support keepalives - but we will soon, I promise! */
++ /* we don't yet support keepalives - but we will soon, I promise!
++ * XXX: This introduces various HTTP Request vulnerabilies if not
++ * properly implemented. Before changing this .. be certain to
++ * add a hard-close of the connection if the T-E and C-L headers
++ * are both present, or the C-L header is malformed.
++ */
+ ap_table_set(req_hdrs, "Connection", "close");
+
+ reqhdrs_arr = ap_table_elts(req_hdrs);
+@@ -475,25 +480,40 @@
+ }
+
+ /* is this content chunked? */
+- chunked = ap_find_last_token(r->pool,
+- ap_table_get(resp_hdrs, "Transfer-Encoding"),
+- "chunked");
++ chunked = ap_table_get(resp_hdrs, "Transfer-Encoding");
++ if (chunked && (strcasecmp(chunked, "chunked") != 0)) {
++ ap_kill_timeout(r);
++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
++ "Unsupported Transfer-Encoding ", chunked,
++ " from remote server", NULL));
++ }
+
+ /* strip hop-by-hop headers defined by Connection and RFC2616 */
+ ap_proxy_clear_connection(p, resp_hdrs);
+
+ content_length = ap_table_get(resp_hdrs, "Content-Length");
+ if (content_length != NULL) {
+- c->len = ap_strtol(content_length, NULL, 10);
+-
+- if (c->len < 0) {
+- ap_kill_timeout(r);
+- return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+- "Invalid Content-Length from remote server",
+- NULL));
++ if (chunked) {
++ /* XXX: We would unset keep-alive here, to the proxy
++ * origin server, for safety's sake but we aren't using
++ * keep-alives (we force Connection: close above)
++ */
++ nocache = 1; /* do not cache this suspect file */
++ ap_table_unset(resp_hdrs, "Content-Length");
++ }
++ else {
++ char *len_end;
++ errno = 0;
++ c->len = ap_strtol(content_length, &len_end, 10);
++
++ if (errno || (c->len < 0) || (len_end && *len_end)) {
++ ap_kill_timeout(r);
++ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
++ "Invalid Content-Length from remote"
++ " server");
++ }
+ }
+ }
+-
+ }
+ else {
+ /* an http/0.9 response */
+@@ -612,7 +632,8 @@
+ * content length is not known. We need to make 100% sure c->len is always
+ * set correctly before we get here to correctly do keepalive.
+ */
+- ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size);
++ ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL,
++ conf->io_buffer_size);
+ }
+
+ /* ap_proxy_send_fb() closes the socket f for us */